Bug#912198: stretch-pu: package spamassassin/3.4.2-1~deb9u1

2018-10-31 Thread Noah Meyerhans
On Wed, Oct 31, 2018 at 10:01:13PM +, Adam D. Barratt wrote:
> Please feel free to upload, bearing in mind that the window for getting
> updates into the 9.6 point release closes during this weekend.

Uploaded. Thanks.

noah





Bug#912198: stretch-pu: package spamassassin/3.4.2-1~deb9u1

2018-10-31 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2018-10-29 at 20:28 -0700, Noah Meyerhans wrote:
> On Mon, Oct 29, 2018 at 07:16:18PM +, Adam D. Barratt wrote:
> > > I have prepared an upload for stretch that is a backport of the
> > > 3.4.2-1 package currently in testing. The changelog entries from
> > > 3.4.1-6 to 3.4.2-1~deb9u1 are below. Note that stretch currently
> > > contains 3.4.1-6+deb9u1. The changes in that version are included in
> > > the 3.4.1-7 entry in the backport.
> > > 
> > > The debdiff for the debian/ subdirectory is attached. I pruned the
> > > upstream changes, since they result in a large diff, but can provide
> > > them if you want.
> > 
> > Yes, please.
> 
> See attached.

Thanks.

Please feel free to upload, bearing in mind that the window for getting
updates into the 9.6 point release closes during this weekend.

Regards,

Adam



Bug#912198: stretch-pu: package spamassassin/3.4.2-1~deb9u1

2018-10-29 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Sun, 2018-10-28 at 23:11 -0700, Noah Meyerhans wrote:
> I have prepared an upload for stretch that is a backport of the
> 3.4.2-1 package currently in testing. The changelog entries from
> 3.4.1-6 to 3.4.2-1~deb9u1 are below. Note that stretch currently
> contains 3.4.1-6+deb9u1. The changes in that version are included in
> the 3.4.1-7 entry in the backport.
> 
> The debdiff for the debian/ subdirectory is attached. I pruned the
> upstream changes, since they result in a large diff, but can provide
> them if you want.

Yes, please.

>   * Add Multi-Arch: foreign headers to package definitions (Closes:
> #850454)

From an initial look through the changes, this is one we wouldn't
usually include in a stable update. (It's not m-a:same at least, but
I'm not convinced we want to be changing m-a headers in stable in
general, unless they can be shown to fix specific issues, usually in
the upgrade path.)

Regards,

Adam



Bug#912198: stretch-pu: package spamassassin/3.4.2-1~deb9u1

2018-10-29 Thread Noah Meyerhans
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Upstream released spamassassin 3.4.2 last month including fixes for
several security issues. Unfortunately, upstream developers have
indicated that they would not recommend, nor would they support, efforts
to backport these fixes to 3.4.1. In an apparent attempt at keeping the
details of the issues private while they worked on them, they did not
indicate which bugs were fixed with specific commits, and have indicated
that the fixes have been spread across many commits, many of which may
be relative to additional changes not in 3.4.1. The specifics of the
issues, and their repros (if any) have not been made public.

After discussions with upstream and with the security team, we decided
that the best course of action would be to forgo a DSA for these issues,
but otherwise accept upstream's recommendation and update to 3.4.2 in
stretch via p-u. In addition to the security issues fixed in 3.4.2, it
also switches from sha1 to sha256 and/or sha512 for validation of rule
updates downloaded by sa-update, which is a change we'll need if we want
sa-update to keep working when they stop publishing sha1 signatures at
some point in the next several months.

I have prepared an upload for stretch that is a backport of the 3.4.2-1
package currently in testing. The changelog entries from 3.4.1-6 to
3.4.2-1~deb9u1 are below. Note that stretch currently contains
3.4.1-6+deb9u1. The changes in that version are included in the 3.4.1-7
entry in the backport.

The debdiff for the debian/ subdirectory is attached. I pruned the
upstream changes, since they result in a large diff, but can provide
them if you want.

spamassassin (3.4.2-1~deb9u1) stretch; urgency=high

  * New upstream release fixes multiple security vulnerabilities
- CVE-2017-15705: Denial of service issue in which certain unclosed
  tags in emails cause markup to be handled incorrectly leading to
  scan timeouts. (Closes: 908969)
- CVE-2016-1238: Unsafe usage of "." in @INC in a configuration
  script.
- CVE-2018-11780: potential Remote Code Execution bug with the
  PDFInfo plugin. (Closes: 908970)
- CVE-2018-11781: local user code injection in the meta rule syntax.
  (Closes: 908971)
- BayesStore: bayes_expire table grows, remove_running_expire_tok not
  called (Closes: 883775)
- Fix use of uninitialized variable warning in PDFInfo.pm
  (Closes: 865924)
- Fix "failed to parse plugin" error in
  Mail::SpamAssassin::Plugin::URILocalBL (Closes: 891041)
  * Don't recursively chown /var/lib/spamassassin during postinst.
(Closes: 889501)
  * Reload spamd after compiling rules in sa-compile.postinst.
  * Update SysV init script to cope with upstream's change to $0.
  * Remove compiled rules upon removal of the sa-compile package.
  * Ensure that /var/lib/spamassassin/compiled doesn't change modes with
the cron job's execution. (Closes: 890650)
  * Create /var/lib/spamassassin via dpkg, rather than the postinst.
(Closes: 891833)
  * Add libbsd-resource-perl to Suggests (Closes: 910434)

 -- Noah Meyerhans   Sun, 30 Sep 2018 23:44:58 -0700

spamassassin (3.4.1-8) unstable; urgency=medium

  * Fix inappropriate invocation of invoke-rc.d in cron script.
(Closes: 865514)
  * Update systemd unit dependencies to include network and syslog.
(Closes: 864810)
  * Migrate packaging to git, finally.
  * Apply upstream patch to fix regex error leading to warnings in perl
5.26+ (Closes: 869408)
  * Add Multi-Arch: foreign headers to package definitions (Closes:
#850454)
  * Update standards version to 4.1.0.0
  * Remove references to the obsolete syslog.target dependency in the
systemd service file.
  * Clarify the use of the perl-major-upgrade dpkg trigger.
  * Fix spamd service management on package upgrades. (Closes: #865356)

 -- Noah Meyerhans   Sat, 09 Sep 2017 22:37:20 -0700

spamassassin (3.4.1-7) unstable; urgency=medium

  * Ensure that spamd doesn't automatically start upon initial
installation.
  * Disable bb.barracudacentral.org (RCVD_IN_BRBL_LASTEXT), as
it requires users to register. (Closes: #861671)
  * Update the systemd unit file to use the same pid file as was
used in the sysvinit script. (Closes: #808804)
  * Update spamassassin docs to remove outdated gpg version
compatibility note. (Closes: #853913)

 -- Noah Meyerhans   Thu, 11 May 2017 19:45:36 -0700
diff -Nru spamassassin-3.4.1/debian/65_debian.cf 
spamassassin-3.4.2/debian/65_debian.cf
--- spamassassin-3.4.1/debian/65_debian.cf  2016-10-30 09:39:27.0 
-0700
+++ spamassassin-3.4.2/debian/65_debian.cf  2018-09-30 23:44:58.0 
-0700
@@ -25,3 +25,10 @@
 metaD_SENT_BY_CRON __CRON_FROM && __CRON_HEADER
 score   D_SENT_BY_CRON -5.0
 describe D_SENT_BY_CRONSent by Cron Daemon
+
+# As documented in
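Review bot: the hunk header `@@ -25,3 +25,10 @@` announces seven added lines, but only `+` and `+# As documented in` are present in this copy, so the new rule being added to 65_debian.cf cannot be reviewed from here; please resend or attach the complete debdiff. The unchanged context lines also appear to have lost the whitespace between keyword and rule name (`metaD_SENT_BY_CRON`, `describe D_SENT_BY_CRONSent by Cron Daemon`), which looks like tab collapse in the mail copy rather than in the file; as pasted, this diff would not apply cleanly against the stretch 65_debian.cf.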